Tor Browser 6.0.7 is released

Tor Browser 6.0.7 is now available from the Tor Browser Project page and also from our distribution directory.

This release contains an important security update to Firefox and, in addition, an update to NoScript (2.9.5.2).

The security flaw responsible for this urgent release is already being actively exploited against Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit available for OS X or Linux users, the underlying bug affects those platforms as well. We therefore strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this exploit.

We will have alpha and hardened Tor Browser updates out shortly. In the meantime, users of these series can mitigate the security flaw in at least two ways:

1) Set the security slider to "High", as this prevents the exploit from working.
2) Switch to the stable series until updates for the alpha and hardened series are available as well.

Here is the full changelog since 6.0.6:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2

Update: We would like to remind everyone that we (The Tor Project) are having our 2016 fundraising campaign! Donate today!

Seth Schoen

November 30, 2016

Permalink

Could you explain where to find the security slider bar? I went into options, security but didn't see a slider bar. Thank you

Click on the green onion, choose "Privacy and Security Settings", and you should see the security slider.

There's also a little line that appears on the very first launch of Tor Browser, saying something like "Hey there's a security slider, check it out!"

So the browser auto-updated on me, and now when I start the Tor app it takes me to the bare-bones Firefox browser and won't let me connect to .onion sites.... Any ideas?

Hm... this is weird. On which operating system did this happen? Do you know from which version you updated? Did you have your Tor Browser modified? Anyway, it seems a safe bet is to download a fresh copy from our website: https://www.torproject.org/download/download-easy.html.en. Still puzzling as you are the only one reporting this so far.

EDIT: Before you delete the non-functioning Tor Browser, could you make a copy of it, pack it up and maybe make it available somewhere to us for further inspection? I'd be very interested to understand what went wrong in your case.

Seth Schoen

November 30, 2016


Thank you for all the great work.
Please don't take this as a complaint; is there any kind of a rough estimate on the general timeframe for Orfox to get this update on F-Droid, or is the vulnerability desktop only?
Keep fighting censorship and oppression, this world is going to hell in a handbasket and Tor is the only beacon of hope for citizens of totalitarian dictatorships.

I agree with your point.

My point would be that there should be at least an RSS feed or the like which we can subscribe to, that lets us know if any Tor-friendly software outside the Tor Project has been updated, for whatever reason.

Seth Schoen

November 30, 2016


Would this exploit work even on Selfrando? What about with the sandboxed Tor Browser by the end of this year?

> What about with the sandboxed Tor Browser by the end of this year?

It would probably crash the browser, because preventing crashes isn't something the sandbox is supposed to do.

However, assuming there was a Linux payload, it would need to be a lot more sophisticated than "get the IP address, and phone home", because the sandbox that Firefox has doesn't have an IP address or a direct connection to the internet.

Sort of. It talks to a surrogate service that looks enough like the control port for the various things that need the control port to work. Depending on how the sandbox is configured (up to the user) this can be either "the absolute minimum for browsing and New Identity to work" or "also enable the Circuit Display".

Even when the Circuit Display is enabled, Tor Browser only sees circuit/stream information for the circuits/streams it created. If you are scared of the Firefox process knowing the IP of your Guard or Bridge(s), you shouldn't enable the Circuit Display when using the Linux sandbox.

Can't New Identity work without the ControlPort, by just changing the socks credentials?

Firefox knowing what the guard is seems like a very bad idea. Wouldn't it be prudent to assume that actors like the FBI can access "metadata" like who was connected to what guard when, at least for some guards and users if not all of us?

As nice as the Tor Button circuit display is, I think it really needs to be in a different application. Expecting users to be able to make an informed decision about whether to allow Firefox to identify their guard seems reckless.

@yawning
Is it possible to make stock Tor Browser only need newnym, as in TAILS?
Then it's as easy as installing a filter for the control port without having to recompile Tor Browser.
Even better still if Tor Browser could drop privileges itself, e.g. by using a built-in filter and somehow making it harder for shellcode to load the unfiltered library (zero out the address of dlopen once the browser is done starting?), or if the Tor control port only had newnym enabled by default, or came with one control port for dangerous stuff and one that doesn't need protecting (and Tor Browser used the latter).

Basically, there are tons of solutions with various tradeoffs. Are any being considered?

It depends?

There's no technical reason why this would be impossible (I ran Tor Browser against a filtered control port for a while before working on the sandboxing stuff), but it would require extra code to get it to play nice if Tor Browser is the app that launches the tor daemon (standard usage).

As far as I know, no one is working on such a thing in a context other than "when sandboxed".
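A minimal version of the control-port filter discussed in this sub-thread, written here as an added example; it is not Tor Project, Tails or sandbox code. It assumes tor has been started separately with its real ControlPort on 127.0.0.1:9051 and that Tor Browser is pointed at the filter's own listener on 127.0.0.1:9151 (both addresses are assumptions), which is the "tor is launched outside the browser" arrangement, since the stock launcher starts tor itself. Only PROTOCOLINFO, AUTHENTICATE, SIGNAL NEWNYM and QUIT are relayed; GETINFO, SETCONF, SETEVENTS and everything else is answered by the filter with a 510 error and never reaches tor, so a compromised browser cannot ask tor for its guard, its circuits or its configuration. As a consequence, Torbutton features beyond New Identity (the Circuit Display in particular) will not work through this port, which is the intended trade-off.

```python
"""Allow-list filter in front of tor's ControlPort (added example, not Tor Project code).

Tor Browser connects here instead of to the real ControlPort.  Only the commands
New Identity needs (PROTOCOLINFO, AUTHENTICATE, SIGNAL NEWNYM, QUIT) are
forwarded; anything else is answered locally with a 510 error and never reaches
tor, so a compromised browser cannot read its guard, circuits or configuration
through the control port.
"""
import re
import socket
import socketserver

# Assumed addresses: the real tor ControlPort, and where this filter listens.
UPSTREAM = ("127.0.0.1", 9051)
LISTEN = ("127.0.0.1", 9151)

ALLOWED = (
    re.compile(r"^PROTOCOLINFO(\s+\d+)?$", re.I),
    re.compile(r'^AUTHENTICATE(\s+("[^"]*"|[0-9A-Fa-f]+))?$', re.I),
    re.compile(r"^SIGNAL\s+NEWNYM$", re.I),
    re.compile(r"^QUIT$", re.I),
)


def decide(line):
    """Return (forward, reply) for one client line.

    forward=True: pass the line to tor unchanged (reply is "").
    forward=False: do not forward; send `reply` to the client instead.
    The rejection mimics tor's own unknown-command reply, so the client sees
    the same error path as for a verb tor does not implement at all.
    """
    cmd = line.rstrip("\r\n")
    if not cmd.strip():
        return False, ""  # blank line: drop silently
    if any(p.match(cmd) for p in ALLOWED):
        return True, ""
    verb = cmd.split()[0].upper()
    return False, '510 Unrecognized command "%s"\r\n' % verb


class FilterHandler(socketserver.StreamRequestHandler):
    def handle(self):
        with socket.create_connection(UPSTREAM) as tor:
            tor_in = tor.makefile("rb")
            for raw in self.rfile:  # one control-protocol line at a time
                forward, reply = decide(raw.decode("ascii", "replace"))
                if not forward:
                    self.wfile.write(reply.encode("ascii"))
                    continue
                tor.sendall(raw)
                # Relay tor's reply: "250-..." continuation lines followed by a
                # final "NNN " line.  None of the allowed commands produce "+"
                # data blocks or asynchronous 650 events (SETEVENTS is blocked),
                # so this simple terminator test is sufficient here.
                while True:
                    resp = tor_in.readline()
                    if not resp:
                        return  # tor closed the connection (after QUIT)
                    self.wfile.write(resp)
                    if len(resp) >= 4 and resp[3:4] == b" ":
                        break


def serve(listen=LISTEN):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(listen, FilterHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Start tor with `ControlPort 9051` and cookie or password authentication, run the filter, and point the browser's control-port setting at 9151. Because AUTHENTICATE is relayed rather than performed by the filter, the browser still has to hold the cookie or password, which is the same trust it has today; what changes is that the only thing that credential can buy an attacker is a NEWNYM.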

...it was "likely" used to target visitors of a dark web child pornography site, Motherboard has found

In other words, Vice is once again doing their job as a controlled opposition to put the awakening masses back to sleep so TPTB can exploit them unsuspected.

Micah Lee (EFF and FOTP) tweeted earlier today at twitter.com/Snowden about a possible cyberattack on Riseup, which is an essential part of Tails ecosystem and helps social justice activists and environmentalists all over the world. This may well be related to the exploit just fixed by TBB 6.0.7

More details should be forthcoming from Riseup.

[Moderator please pass this comment]

Actually, it is likely being used to target bloggers, journalists, union organizers, social justice organizers, technologists, and political dissidents in various nations including USA.

[Moderator: please pass this comment]

> i like the exploit! it goes after childpron users! https://motherboard.vice.com/read/tor-browser-zero-day-exploit-targeted…

You may agree with the sentiments expressed by a commentator in Shari's blog (see her post about the current fundraising drive). I have not been permitted to respond in her blog, but I'd like to try to respond to that commentator here:

You write:

> humanity is based on greed, money, and power.

Following the definition of Herodotus, "History" has too often been taken to mean "the narrative of major national-scale events". (Actually, Herodotus went even further than that: he defined history as the narrative of wars fought by the Greek city states!) Put another way: some would confine history to the study of the (mostly unintended) consequences of decisions taken by political/economic/military leaders. But I hope you will seek out and read a wonderful book which takes a very different view: Howard Zinn, A People's History of the United States, HarperCollins, 1999.

Whenever I meet new people, I am always impressed anew by the fact that--- despite the poor impression of humanity which one might receive from reading mainstream news--- most people sincerely want very much to do good deeds. Many people--- especially the often young and idealistic breed known as "student activists"--- are motivated more by the desire to leave the world the better place than they found it than by naked greed or self-interest, and they are eager to work long and hard to achieve their goals. Zinn's magnificent history offers readers the chance to appreciate how history can be viewed as a struggle between ordinary people and the bosses and political leaders, who too often feel that might (which they possess) makes them right. And too often, those with wealth look enviously upward, rather than looking downward and resolving to help those with far less resources of wealth and power than they themselves enjoy.

To some extent these contrasting world views could be taken as reflecting the distinction between the socialist outlook exemplified by Howard Zinn and Sen. Bernie Sanders, and the libertarian outlook exemplified by the novels of the Russian exile Ayn Rand and the politics of certain Trump advisors.

> Those with money become hungry for power influenced by greed.

The contemporaries of Herodotus, living in a society which all too often executed its leading intellectuals (e.g. Socrates) for becoming too successful in their criticism of the government, ardently discussed very similar propositions. Later, the Romans taught politicians how to exploit "history" as propaganda (cf. Julius Caesar's self-serving books describing in detail his conquests). A little later, Tacitus (himself a former government official) wrote disturbing accounts of the increasing corruption among the Roman economic/political elite, and writers like Suetonius made their fortune spreading salacious stories (often based upon fact) about the bizarre and horrifying behavior of the worst Roman emperors.

> [when calls for redistribution of wealth] threatens those with power (Governmental agencies, political powers, evil corporations, etc.) then they will try to evade or destroy the attempts of the redistribution.

Indeed, you might be interested in the dismal history of such episodes as the Pugachev rebellion (against Catherine, Empress of all the Russias), the Haitian revolution, the Cuban revolution, and a host of ongoing perpetual struggles in Latin America, Asia, and Africa which center around demands for redistribution of land, money, and democratization of political decision making.

You say you believe that

> [law] enforcement agencies should have the capabilities to source data to monitor illegal activities (ex. a suspected child molester, etc.

The devil, as always in complex societies, is in the details you left out.

What does it mean to say that X is a "suspected child molester"? Does anyone who uses Tor qualify? US AAG Leslie Caldwell--- whom we have learned is a "she" not a "he" as we mistakenly pronominalized her in a comment elsewhere in this blog--- seems to argue in her DOJ blog calling for Congress to let the changes to Rule 41 go through at midnight 1 Dec 2016, that the answer is "yes" [sic].

What does it mean to say that Y is a "suspected extremist". Does anyone who is a member of Riseup qualify? According to at least one judge in Spain, the answer is apparently "yes" [sic].

What does it mean to say that Z is "suspected of potential future radicalism"? According to CVE programs being implemented in all the "democratic" "Western" nations, most notably in the US, the answer is apparently "every schoolchild", or even "every citizen".

Once LEAs start down the slippery slope towards considering that they are "justified" [sic] in regarding every citizen as constantly under suspicion of *everything*, on the theory that everyone must have a positive probability (however tiny) of performing some misdeed at some point in their lives, they will wreak havoc on the lives of millions of ordinary citizens who not only are not reasonably suspected of having "done something wrong", far less reasonably suspected of having committed some heinous crime, but who would never have come close to doing anything terribly wrong if the government had simply left them in peace.

We are entering into a century which seems certain to see millions of citizens locked up in "preventative detention camps". Failing empires have had resort to such measures before. The British locked up most of the civilian population of the Boer states during the Boer wars, where many of them died of starvation or disease. In earlier centuries, the USG locked up entire First American tribes on the theory promulgated by Gen. Sheridan, that "the only good Indian is a dead Indian", and indeed a large percentage of those locked up in American concentration camps died. During WWII, the USG again locked up millions of US citizens of Japanese ancestry in concentration camps because officials decided they were all *potential* "spies".

Close advisors of Donald Trump have cited these dismal examples as justification for their stated intention to do the same thing to Muslim Americans, Mexican Americans, Socialists (supporters of Bernie Sanders), and maybe even Democrats (supporters of Hillary Clinton). Or at least, their stated intention to seriously discuss doing such things. What a tragedy for America. What a terrible example for the entire world, at a time when all the world's governments seem to be turning in unison to the worst kind of authoritarianism, the kind tinged with the sort of ethnic hatreds which have historically always led to state-sponsored genocides.

> This data collection should be against the law when it does in fact breech my privacy. Just because I look at camera's on google doesn't mean that I should be receiving advertisements about it for the next week and a half on 90% of the non-camera webpages that I visit.

Julia Angwin's book Dragnet Nation, which I also recommend, focuses on this kind of invasion of privacy. But however awful Google and Comcast are or may yet become, it seems unlikely that they will be kicking down doors, tossing grenades at infants, or dragging wailing citizens off to labor camps for "political re-education" by slave labor.

Tor users are generally far more concerned with invasions of privacy by government agencies such as GCHQ/SCA, NSA/FBI/NCTC, because these dragnets are the ones which construct what NSA whistle-blower William Binney memorably described as "turnkey fascism". And with the election of Donald Trump, many frightened citizens all over the world--- and, ironically, many leaders of the USIC--- fear that prediction, which most people long dismissed as "paranoid fantasy", has come to pass.

I think the best way to understand why civil libertarians are so horrified by the prospect of state-sponsored dragnets feeding CVE programs is to study in detail the original documents from the Snowden leaks, some of which are collected here:

https://www.eff.org/nsa-spying/nsadocs

(It's a big job because there are many acronyms to learn and many puzzle pieces to fit together, but like anything with a steep learning curve, once you get into this at some point your progress will become much more rapid.)

You suggest that we who warn of the horrors to come in America believe that "everyone is out to get us" [sic]. No, we are warning that NCTC is out to get us, and we have cited the documents which explain what we mean, and confirm our claims. Don't believe it because we say it is so, believe it because (in leaked documents) NCTC explains what they intend to do to us.

You write that Americans have lost faith in the desire of their government to protect and uplift them. Indeed we have, in many cases because we ourselves have been directly targeted by state-sponsored espionage campaigns. Some of the leaked Snowden documents specifically confirm that we have been, and no doubt will continue to be, indefinitely, on the list of people to be punished with an escalating sequence of reprisals. Don't believe it because we say it is so, believe it because people giving TS/SCI talks at NSA and GCHQ headquarters said it is so. (See the EFF repository.)

If our writings at times seem to suggest that we take the struggle of The People v The Man very personally, that is because we do, because we have learned that *they* marked us down as "enemies" long before we had ever heard their names, in the lost era of innocence, in the halcyon days when we naively believed that if we lived quietly and behaved well by seeking to do right and avoiding demands by our social superiors that we do evil, we would be left in peace, because as we knew very well, we certainly are not and never were "criminals" or "evildoers". But as we have learned, simply by bearing the "wrong" color skin or adhering to the "wrong" religion or coming from the "wrong" countries, we are regarded in the halls of real American power (the USIC) as actual or potential "Enemies of the State" [sic].

The literary works of Blok, Babel, and other revolutionary writers seem strangely relevant to the experience of the masses in another land (the USA) approximately a century later, just as Russians who endured the horrors of Stalinism once took solace in the poetry of Whitman and Yevtushenko.

Come out, come out!
On this day of sorrow, the long shadow of night
Spreads over the earth.
The servile faith in our little father the czar has collapsed.
...
Look around: we're lifeless
And without fear because of your servants,
Because of the merchants and the kulaks,
Because of the squires and the industrialists.
...
The czar listened to his people without speaking,
And moved his hand...
All around, the earth was shaken by a terrible sound
And the palace square was covered by corpses:
The people fell, riddled with bullets and lead.

Katz was writing about a massacre which occurred during the 1917 revolution, but he almost could have been writing about the future history of Standing Rock, or the next big anti-Trump rally in some American city.

Dear person who writes enormous blog comments:

Please focus and stick to a particular point? Your comments end up filling the comment section so nobody can notice or find the other comments, and that turns into no fun for anybody, including those of us who are trying to make sure the comment section remains useful.

Thanks!

I found this post to be erudite, informed, educational, and provocatively valuable. Thank you so much.
COMMENT: I think the inquisitorial excesses of historical Roman Catholicism should also be highlighted, not to forget several various holocausts.
There are MANY things far worse than terrorism, drugs, and childporn. Many of the named activists fight extinction itself. And as to the "big three" above, I find each of the arguments against them to be pallid, diversionary, straw men.

Thank you again for actual informed comment.

> childpron...

... Yadda yadda yadda.

That's always the "official story" as spun by US media.

RU recently incorporated Chinese technology into their own censorship regime. Maybe they are also incorporating US technology? To target the Russian underground? (See the comment just above yours.)

Sheriff Dave Clarke of Milwaukee County is apparently with the Trump transition team and has been mentioned as a possible future FBI Director in the Trump administration. He has repeatedly claimed (in speeches and Op-Eds) that the US is in a state of "civil war" (his words), apparently meaning BLM versus American police. (In fact, BLM is a nonviolent movement opposed to homicide whether committed by police or by some other party.)

It is much more likely that FBI is using NIT to attack journalists covering the protests at Standing Rock, BLM protests, anti-Trump rallies, government corruption, etc., rather than attacking "suspected child pron producers". It is very easy for them to quietly *define* anyone who uses Tor for any reason as a "suspected child pron producer", and to attack them under that assumption. But we who use Tor every day know very well that most people who use Tor every day have nothing to do with any criminal activity--- unless you regard all opposition to some governmental policy somewhere in the world as criminal.

> [FBI NIT malware] goes after childpron users!

That's always the official FBI spin, but the most recent attack on Tor users is more likely related to the Standing Rock protests, BLM protests, and anti-Trump rallies:

https://www.washingtonpost.com/news/the-switch/wp/2016/11/30/u-s-border…
U.S. border agents stopped journalist from entry and took his phones
Andrea Peterson
30 Nov 2016

> Award-winning Canadian photojournalist Ed Ou has had plenty of scary border experiences while reporting from the Middle East for the past decade. But his most disturbing encounter was with U.S. Customs and Border Protection last month, he said. On Oct. 1, customs agents detained Ou for more than six hours and briefly confiscated his mobile phones and other reporting materials before denying him entry to the United States, according to Ou. He was on his way to cover the protest against the Dakota Access Pipeline on behalf of the Canadian Broadcast Corporation.

Imagining that this attack is a response to something in the past few weeks is misunderstanding how the government bureaucracy works. They probably went through months of paperwork and judges and so on to arrive at approval to deploy it.

That's not to say that all of those barriers actually provided appropriate checks-and-balances. But do not underestimate how many barriers they have in place before deploying something like this. :)

Are you happy when a batch of cars has defective airbags since that bug goes after people who use cars to kidnap children? Do you not care about the bug also going after drivers who don't kidnap children?

Seth Schoen

November 30, 2016


thx

Seth Schoen

November 30, 2016


I don't understand - does updating Tor to this release make the browser susceptible to exploits? Or was the previous version subject to exploit, so the update fixes it?

The update fixes the vulnerability that was present in the earlier versions. Here is more information:

http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-…
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-u…

But I can see why you're confused, given the number of comments that almost seem to suggest the exploit was a good thing, which is really quite frightening actually. It's really sad to see the Tor community starting to buy into the FBI's FUD.

Seth Schoen

November 30, 2016


Does the exploit need JavaScript to be enable on browser, or can the exploit execute arbitrary JavaScript code that bypass NoScript?

As far as we know, if you had JavaScript disabled (including via NoScript), this exploit would not work on you.

There appears to be some confusion about whether the vulnerability could be exploited without JavaScript on, that is, whether it is possible to write a different exploit that works even when JavaScript is disabled. The last I heard from Dan Veditz was that he thought no, it shouldn't be possible for this particular Firefox bug.

That said, we've also been hearing rumors about bugs in NoScript that would let a website sneak some JavaScript past NoScript. So it would seem you might be in better shape putting the Tor Browser security slider to high than you are relying just on NoScript.

Yes but be sure to set security slider to high first.
Very few people will have changed settings manually, meaning you'll stand out more if you just change JS and leave everything else on lowsec. This is why Orfox should have a security slider.
Apparently you also have to disable images, which is impossible (https://trac.torproject.org/projects/tor/ticket/20772), and nobody seems to believe that it should be possible, neither at Mozilla nor at Tor Project.

Let's say I'm using the slider at the highest position; does it make a difference if NoScript blocks the JavaScript or if I block it straight in the browser?

Are there cases where NoScript (JS globally disabled) could get tricked into running JavaScript but the browser wouldn't? (It's not about this particular exploit.)

Short version: set the security slider to high, go to about:config and, if javascript.enabled equals "True", toggle it to "False".

Long version:
I don't know that, but here's what I know.
If there IS a problem and NoScript gets bypassed, you're almost certainly more secure with javascript.enabled toggled off (set to "False" in about:config).

However, you might be less anonymous, because if an attack is found against NoScript and you're one of a very small number of people who manually disabled it, your browser is more fingerprintable; see https://panopticlick.eff.org

But if there's an attack that runs JavaScript past NoScript, the JavaScript itself might do something far more deanonymizing than just saying "this page was viewed or post was written by one of the few people we couldn't attack"; if the attack isn't blocked it might escalate privileges and install permanent malware or send back hardware serial numbers, which will likely deanonymize you far more than being one of the few people immune to attack; there will be only ONE person with the same exact MAC address/CPU serial number/etc.

If no attack succeeds in breaking NoScript it doesn't matter if you set javascript.enabled to false or not. But NoScript gets vulnerabilities like any software. The less software that you count on working right, the safer you are.
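To check the posture recommended in the release note ("High" on the slider) and in the comment above (javascript.enabled additionally switched off), here is an added example, not Tor Project code, that reads a Tor Browser profile's prefs.js and reports the slider level, whether NoScript is blocking scripts globally, and whether the engine-level JavaScript pref is also off. The pref names, the slider's numeric levels (1 = High through 4 = Low), the default of Low when the pref is absent, and the profile path TorBrowser/Data/Browser/profile.default/prefs.js are all assumptions about the 6.0 series on Linux; the sample file is constructed.

```python
"""Audit a Tor Browser prefs.js for the settings discussed in this thread
(added example, not Tor Project code).

Firefox-style pref files consist of lines such as
    user_pref("javascript.enabled", false);
We parse those, then report whether the security slider is at High and
whether javascript.enabled has *also* been turned off, i.e. whether a
NoScript bypass alone would be enough to get JavaScript running again.
"""
import re

# Assumed for the Tor Browser 6.0 series: slider pref values 1..4, default Low
# when unset, and at High Torbutton blocks scripts through NoScript
# (noscript.global = false) rather than through javascript.enabled.
SLIDER_PREF = "extensions.torbutton.security_slider"
SLIDER_HIGH = 1
SLIDER_DEFAULT = 4
SLIDER_NAMES = {1: "High", 2: "Medium-High", 3: "Medium-Low", 4: "Low"}

PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Constructed sample: slider at High, NoScript blocking, engine pref untouched.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1480550400);
user_pref("extensions.torbutton.security_slider", 1);
user_pref("extensions.torbutton.security_custom", false);
user_pref("noscript.global", false);
user_pref("javascript.enabled", true);
user_pref("browser.startup.homepage", "about:tor");
"""


def parse_value(raw):
    """Decode a pref literal: bool, quoted string, or integer."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Return {pref_name: value}; later lines override earlier ones, as Firefox does."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs):
    slider = prefs.get(SLIDER_PREF, SLIDER_DEFAULT)
    js_enabled = prefs.get("javascript.enabled", True)
    return {
        "slider": SLIDER_NAMES.get(slider, "unknown(%r)" % (slider,)),
        "slider_high": slider == SLIDER_HIGH,
        "slider_custom": prefs.get("extensions.torbutton.security_custom", False),
        "noscript_allows_scripts_globally": prefs.get("noscript.global", True),
        "javascript_enabled": js_enabled,
        # Both layers off: NoScript blocking via the slider *and* the engine
        # pref, so a NoScript bypass alone does not bring JavaScript back.
        "defence_in_depth": slider == SLIDER_HIGH and js_enabled is False,
    }


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PREFS
    for key, value in audit(parse_prefs(text)).items():
        print("%-34s %s" % (key, value))


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

Run it against the profile with the browser closed (prefs.js is rewritten on exit). On the sample it reports the slider at High but `defence_in_depth` false, which is exactly the gap the comment above is pointing at: the slider has NoScript blocking everything, but one NoScript bug away from JavaScript running again unless javascript.enabled is false as well.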

So putting the Tor Browser security slider to high is technically doing the same with JavaScript as turning JavaScript off in about:config? Meaning it turns JS off completely, as NoScript is just a whitelist that could theoretically get bypassed? Is this correct?

Thanks in advance.